First published: Thu May 11 2023
LuaTeX before 1.17.0 allows a document (compiled with the default settings) to make arbitrary network requests. This occurs because full access to the socket library is permitted by default, as stated in the documentation. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Luatex Project Luatex | >=0.27.0, <1.17.0 | |
| Miktex Miktex | >=2.9.0, <23.5 | |
| Tug Tex Live | >=2009, <2023 | |
| ubuntu/texlive-bin | <2019.20190605.51237-3ubuntu0.2 | 2019.20190605.51237-3ubuntu0.2 |
| ubuntu/texlive-bin | <2022.20220321.62855-6 | 2022.20220321.62855-6 |
| ubuntu/texlive-bin | <2021.20210626.59705-1ubuntu0.2 | 2021.20210626.59705-1ubuntu0.2 |
| debian/texlive-bin | <=2018.20181218.49446-1, <=2018.20181218.49446-1+deb10u2, <=2020.20200327.54578-7+deb11u1 | 2022.20220321.62855-5.1+deb12u1, 2023.20230311.66589-9 |
https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/commit/b266ef076c96b382cd23a4c93204e247bb98626a
https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/commit/e7df9234420973a2f69aac1b10cbb5f00b0cda4d
https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/commit/da4492c789e25f05255d54e45447d3da79098967
CVE-2023-32668 is a vulnerability in LuaTeX versions before 1.17.0 that allows a document to make arbitrary network requests.
LuaTeX versions before 1.17.0, TeX Live versions before 2023 r66984, and MiKTeX versions before 23.5 are affected by CVE-2023-32668.
The severity of CVE-2023-32668 is medium, with a CVSS score of 5.5.
To fix CVE-2023-32668, update LuaTeX to version 1.17.0 or later, TeX Live to version 2023 r66984 or later, or MiKTeX to version 23.5 or later.
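As an added audit check (not part of the advisory or of the LuaTeX project), the script below reads the installed `luatex` version, compares it against the fixed release 1.17.0, and compiles a minimal probe document with default settings that only reports whether `require("socket")` succeeds; it opens no connections. The `SOCKET-PROBE` marker and the helper names are this example's own.

```shell
#!/bin/sh
# Audit: is the luatex on PATH affected by CVE-2023-32668, and does a document
# compiled with default settings get the socket library? (added example)

# Print the bare version number from the first line of `luatex --version`,
# e.g. "This is LuaTeX, Version 1.16.0 (TeX Live 2023)" -> "1.16.0".
luatex_version() {
    printf '%s\n' "$1" | sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 (true) when the given version is below the fixed 1.17.0.
version_is_affected() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -lt 17 ]; }
}

# Write a plain-TeX probe that only records whether require("socket") works.
write_probe_tex() {
    cat > "$1" <<'EOF'
\directlua{
  local ok = pcall(require, "socket")
  texio.write_nl(ok and "SOCKET-PROBE: exposed" or "SOCKET-PROBE: blocked")
}
\bye
EOF
}

# Map the probe's log text to exposed / blocked / unknown.
classify_probe_log() {
    case "$1" in
        *"SOCKET-PROBE: exposed"*) echo exposed ;;
        *"SOCKET-PROBE: blocked"*) echo blocked ;;
        *) echo unknown ;;
    esac
}

audit_luatex() {
    if ! command -v luatex >/dev/null 2>&1; then
        echo "luatex not found; nothing to audit"; return 0
    fi
    ver=$(luatex_version "$(luatex --version | head -n 1)")
    if version_is_affected "$ver"; then
        echo "LuaTeX $ver: affected by CVE-2023-32668, update to 1.17.0 or later"
    else
        echo "LuaTeX $ver: at or above 1.17.0"
    fi
    tmp=$(mktemp -d); write_probe_tex "$tmp/probe.tex"
    luatex --interaction=batchmode --output-directory="$tmp" "$tmp/probe.tex" >/dev/null 2>&1 || true
    echo "socket library in a default compile: $(classify_probe_log "$(cat "$tmp/probe.log" 2>/dev/null)")"
    rm -rf "$tmp"
}

audit_luatex
```

The probe result is the more telling of the two, since a distribution may ship a patched binary under an older version number; "exposed" on an installation means documents compiled with default settings can load the socket library.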
More information about vulnerability CVE-2023-32668 can be found in the following references: [Reference 1](https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/blob/b266ef076c96b382cd23a4c93204e247bb98626a/source/texk/web2c/luatexdir/ChangeLog#L1-L3), [Reference 2](https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/tags/1.17.0), [Reference 3](https://tug.org/pipermail/tex-live/2023-May/049188.html)